Tuesday, December 23, 2014

Customizing Samba on an ASUSWRT wireless router

Out of the box, the Asus RT-AC87 router has some handy, but limited, file and media sharing capabilities. Connect a USB hard drive to one of its USB ports, and the router can share data from that drive with anyone on your network - or optionally, with the outside world. The firmware implements Samba (a Linux-based program for sharing files similar to Windows file shares), but through the web interface you have only two options: allow everyone complete and anonymous access, or require a username and password for every connection. Samba can be configured far more granularly, but you cannot get there from the RT-AC87 web interface.

Friday, December 19, 2014

Time to patch again. This time it's ntpd

Ntpd, the network time protocol service, has a flaw that can be used to compromise a server or network router
It's late on a Friday, coming up on a holiday week. In other words, the perfect time to drop a major bug announcement, right? Someone seemed to think so. Alas this will mean much churn over the next few days for a great many IT shops.

The theme this year has been big vulnerabilities in common services or shared libraries - places where one bug might affect lots and lots of programs and devices. First it was a flaw in OpenSSL, the library that enables secure communication with websites around the world. Next came a flaw in Bash shell, a widely used Unix shell much like the Windows command line. Now it's ntpd, the Network Time Protocol service.

Thursday, December 18, 2014

A look back: 4 years, 100 posts

Over the last 4 years, this blog has covered a lot of ground. We've looked at safe surfing practices when using the Internet in a public location. We've looked at how to set up a home network to be reasonably secure. We've talked about password practices, and the value of two-factor authentication to secure more valuable accounts. We've discussed a rash of credit card thefts at major retailers. We've seen several severe flaws in services used widely on the Internet. This blog has even published several vulnerabilities and website flaws discovered by yours truly.

My goal in writing is two-fold: I write technical content in the hopes that other professionals will find value, but I also endeavor to educate those that have not made a career out of information security. To that end, if there is a topic you would like to know more about, or a topic I have not explained as clearly as you would like, I invite you to comment on this or any post, or send me a message at david (at) securityforrealpeople (dot) com.


Without further ado, a highly biased revue of top topics:

Monday, December 8, 2014

Solving a crypto puzzle with Python

A beginners guide to Python programming, to solve a Caesar cipher.
This December, computer security firm Sophos has been running a "12 Days of Christmas" contest, with cyber-related quizzes each day. So far the quizzes have ranged from hoaxes to malware authors to abandoned operating systems. Each of the questions have touched on topics relevant to hackers (using the traditional, inquisitive sense of the word ... hacking is not in and of itself evil!), and each have required skills useful to a cyber security pro - often, simply paying attention to detail and noticing clues.

Monday, December 1, 2014

Thanksgiving fun: reviving a busted power adapter

What do you do when a laptop A/C adapter breaks? When you are a family of geeks, you don't throw it out.
What do you do when a laptop A/C adapter breaks? When you are a family of geeks, you don't throw it out. There's a longstanding tongue-in-cheek tradition that Thanksgiving is the time when IT pros visit family and fix our parents' technology problems ... in this case, it was my teenage son's computer though, so was a perfect opportunity to have a little tech fun with my kid.